Learn how browser extensions can be detected and exploited. See how attackers track users and how managed attribution protects your anonymity online.
In December 2024, attackers hijacked the extension of a data loss prevention company (Cyberhaven) that was used by 400,000 customers and pushed malicious updates to exfiltrate cookies, session tokens, and authentication credentials for Facebook and ChatGPT. The poisoned extension remained in the Chrome Web Store for 31 hours, automatically updating on users' browsers without their knowledge.
Worse yet, this wasn't an isolated incident. It was part of a broader campaign targeting at least 35 Chrome extensions and impacting roughly 2.6 million users. That attack was a stark reminder that browser extensions represent one of the most overlooked and exploitable cybersecurity attack surfaces.
The dual threat: malicious code and digital fingerprinting
Browser extensions pose two distinct but related threats to security professionals and investigators.
The first threat is obvious, as malicious extensions can steal data, log keystrokes, capture screenshots, and exfiltrate sensitive information. Recent research demonstrates that attackers have successfully created extensions capable of harvesting credentials, manipulating web traffic, and bypassing two-factor authentication even after passing through official browser store security reviews.
The second threat, which is more subtle but equally dangerous, is that extensions enable tracking and de-anonymization through browser fingerprinting…and even legitimate extensions with benign functionality expand our digital footprint. Research presented at the 2024 ACM Conference on Computer and Communications Security found that 2,747 Chrome extensions and 572 Firefox extensions were susceptible to fingerprinting techniques at that time. When websites detect the unique combination of installed extensions, they can generate a tracking hash specific to a browser that can follow us across the web even when we've cleared cookies or enabled private browsing.
For security analysts, threat hunters, and investigators conducting sensitive research, this extension profile can reveal organizational affiliations, investigation targets, and operational intent to the adversaries we're monitoring.
Extension vs. plugin: what's the difference?
Before diving deeper, let's be clear that browser extensions and plugins are not the same thing.
Browser extensions are small software programs, typically built with HTML, CSS, and JavaScript, that add functionality to our browser. They integrate directly into the browser environment and can modify how websites appear and behave. Common examples include ad blockers, password managers, and productivity tools. Extensions are what we're installing when we visit the Chrome Web Store or Firefox Add-ons marketplace.
Browser plugins, on the other hand, were older executable programs (like Adobe Flash Player or Java) that enabled specific content types. Plugins were pre-compiled binaries that ran with elevated privileges, which created massive security risks. This is why modern browsers have largely phased out plugin support in favor of the more secure (though still risky) extension model.
The old plugin architecture is effectively dead, with Chrome having dropped NPAPI plugin support in 2015 and Firefox following suit in 2017. So, when we talk about current security threats, we're almost exclusively discussing extensions.
Why extensions are so dangerous
According to LayerX's 2024 Browser Security Report, 33% of all extensions within an organization pose a high risk, with 1% of installed extensions confirmed as malicious. Here's what makes them particularly dangerous:
- Broad permissions: Extensions often request permission to "read and change all your data on all websites." This seemingly innocuous permission grants access to everything you do online, including every password entered, every document viewed, and every sensitive communication transmitted.
- Invisible updates: Extensions update automatically in the background. GitLab's Threat Intelligence team documented how attackers purchase or compromise previously legitimate extensions, then push malicious updates to established user bases. This results in users who installed a trusted tool months ago having no idea that they're now running compromised code.
- Supply chain attacks: The December 2024 campaign demonstrated how attackers use sophisticated phishing to compromise developer accounts, then distribute malicious versions through official channels. The poisoned extensions passed Chrome Web Store security checks because they maintained their original functionality while secretly adding data exfiltration capabilities.
- Evasion techniques: Modern malicious extensions employ advanced obfuscation and delayed execution. They behave normally during security reviews, only activating malicious functionality after accumulating sufficient check-ins to avoid detection. Some extensions strip Content Security Policy headers from websites, completely removing protections designed to prevent cross-site scripting (XSS) attacks.
How adversaries use extensions for tracking
Even when extensions aren't malicious, they enable sophisticated tracking. Websites can query our browser for the presence of specific extensions by attempting to load their web-accessible resources. When a website detects extensions like uBlock Origin, LastPass, Grammarly, or Honey, it adds this information to your browser fingerprint.
Research has demonstrated that the combination of installed extensions can be fingerprinted through their page-visible execution traces and interactions, and these signatures persist even when you use private browsing modes or VPNs. For OSINT researchers and security investigators, this tracking capability is particularly concerning because our extension profile can inadvertently reveal our organizational affiliation, investigation focus, and technical sophistication, among other things.
The average enterprise user has more than 10 extensions installed — with 99% of enterprise users having at least one extension active — and each extension increases our uniqueness, making us more trackable and more vulnerable to counter-surveillance.
How to check the browser extensions you have installed
To make informed decisions about our browser's security posture, we need to know which extensions are installed and what permissions they have. Here's how to examine our extension inventory across the most popular browsers.
Google Chrome
- Navigate to `chrome://extensions` in your address bar, or click the Extensions icon (the puzzle piece) in the upper-right corner of your browser and select "Manage Extensions."
- Click "Details" on any extension within the list to view its specific permissions and site access settings
- To understand what data an extension can access, click the three-dot menu next to the extension, hover over "This can read and change site data," and you will see options like "When you click the extension," "On [current site]," or "On all sites."
- These settings control whether the extension can automatically access all websites visited or only specifically designated sites
Microsoft Edge
- Go to `edge://extensions` or click the Extensions icon in your toolbar and select "Manage Extensions."
- Click the three-dot menu next to any extension and select "Details" to view its permissions
- Microsoft Edge shows you which permissions the extension requires, such as "Read your browsing history" or "Display notifications"
- You can manage site access permissions using the same "This can read and change site data" options as Chrome
Mozilla Firefox
- Click the three-line menu icon and select "Add-ons and themes," or navigate to `about:addons`
- Click on any extension to view basic information, but Firefox does not prominently display permissions in the add-ons manager
- To view the full permissions for an installed extension, visit the extension's page on addons.mozilla.org and click the "Add to Firefox" button; this will display the permission prompt without actually reinstalling the extension
- Alternatively, install the "Permission Inspector" add-on, which displays permissions for all your installed extensions in one convenient view
Safari (Desktop)
- Open Safari and click Safari > Settings (or Preferences in older versions) from the menu bar, then click the Extensions tab
- On the left sidebar, you will see all installed extensions
- Select any extension to view its permissions on the right side of the window
- Click the "Edit Websites" button to see and manage per-site permissions, allowing the user to control whether the extension can access all websites, specific sites, or must ask for permission on each site
Note: Safari also indicates when an extension has access to a webpage by tinting its toolbar icon blue (or your system accent color)
Safari Mobile (iPhone/iPad)
On iOS and iPadOS, extension management is handled through the Settings app rather than within Safari itself.
- Open Settings > Apps > Safari > Extensions
- Tap on any extension name to view its permissions and manage which websites it can access
- You can set permissions to "Allow," "Deny," or "Ask" for individual websites, and configure the "Other Websites" setting to control default behavior for sites not specifically configured
Regardless of which browser we use, we should review our extensions regularly, especially after installing new tools or if we notice unusual browser behavior.
Always pay particular attention to extensions that request broad permissions like "Read and change all your data on the websites you visit" or "Access your data for all websites." While some extensions genuinely need these permissions to function, an extension that simply changes the appearance of a specific website (for example) does not need such widespread access.
While extensions can make our lives easier, it’s incumbent upon us to know what we install and manage the risk these extensions create when we prioritize convenience over security.
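The permission review described above can also be done statically from each extension's manifest.json. The following Python is an added example, not part of the original article or any vendor tool: it flags all-sites host access, sensitive API permissions, and web-accessible resources exposed to every origin, which is what makes an extension detectable by websites as described in the tracking section. The sample manifests and the SENSITIVE_APIS selection are constructed for illustration.

```python
# Added example: static audit of extension manifest.json content.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Illustrative selection of API permissions tied to the risks above (assumption).
SENSITIVE_APIS = {"cookies", "webRequest", "declarativeNetRequest",
                  "history", "debugger", "proxy", "scripting"}

def host_patterns(manifest):
    """Every host match pattern the extension can read or modify."""
    perms = manifest.get("permissions", [])
    pats = set(manifest.get("host_permissions", []))               # Manifest V3
    pats |= {p for p in perms if "://" in p or p == "<all_urls>"}  # V2 mixes hosts in
    for script in manifest.get("content_scripts", []):
        pats |= set(script.get("matches", []))
    return pats

def exposed_resources(manifest):
    """Web-accessible resources that any website is allowed to request."""
    exposed = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):        # V2: flat list, visible to all origins
            exposed.append(entry)
        elif BROAD_HOSTS & set(entry.get("matches", [])):  # V3: scoped by "matches"
            exposed.extend(entry.get("resources", []))
    return sorted(exposed)

def audit(manifest):
    """Return (finding, evidence) pairs; an empty list means nothing flagged."""
    findings = []
    broad = sorted(host_patterns(manifest) & BROAD_HOSTS)
    if broad:
        findings.append(("all-sites-access", broad))
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS)
    if apis:
        findings.append(("sensitive-apis", apis))
    resources = exposed_resources(manifest)
    if resources:
        findings.append(("probeable-resources", resources))
    return findings

# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Constructed Page Styler",
                "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"],
                "web_accessible_resources": [{"resources": ["img/logo.png"],
                                              "matches": ["<all_urls>"]}]}
SAMPLE_SCOPED = {"manifest_version": 3, "name": "Constructed Site Helper",
                 "permissions": ["activeTab", "storage"],
                 "content_scripts": [{"matches": ["https://intranet.example/*"]}]}

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_SCOPED):
        print(sample["name"], audit(sample))
```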
Managed attribution: comprehensive protection
Traditional security approaches fail to address the extension problem adequately. Endpoint protection tools can't see inside the browser's sandboxed environment. VPNs mask IP addresses but do nothing about extension fingerprinting, and even virtual machines leave our digital fingerprint intact.
This is where managed attribution provides a fundamentally different approach. Rather than trying to secure extensions on our local machine, managed attribution platforms like Silo move our entire browsing environment into an isolated, cloud-based architecture. This allows investigators to blend in with their target environment rather than standing out.
- Need to research a threat actor in Eastern Europe? We can appear as a local user with region-appropriate browser characteristics.
- Investigating financial fraud? We can present the browser profile of a typical banking customer.
The platform provides disposable browser sessions that purge all tracking cookies and fingerprinting data between investigations, ensuring that our activities in one research session can't be correlated with another.
Critically, because the browsing environment is fully isolated and cloud-based, there's zero risk from malicious extensions or compromised web content: malware never reaches our network or endpoints.
Here's how it works: Instead of loading web content on our local device, all web code executes in secure, cloud-based virtual browsers. Our physical machine never touches potentially malicious content. More importantly, we gain complete control over how we appear to websites and adversaries, customizing our browser fingerprint, geographic location, time zone, language settings, and apparent extension profile.
At a minimum, organizations should implement application controls restricting which extensions users can install, regularly audit installed extensions across their environment, and consider pinning trusted versions of critical extensions to prevent malicious automatic updates.
But for security teams who want to provide foolproof protection across an enterprise — or for those conducting sensitive investigations — the best practice is to employ platforms that provide necessary functionality without exposing users or their environments to these extension-based threats.
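The minimum controls named above (restrict, audit, pin) can be checked by comparing what is installed against an allowlist of pinned versions. This Python is an added example, not part of the original article: it assumes the Chromium on-disk layout `Extensions/<extension id>/<version>_N/manifest.json`, and the extension IDs, versions, and allowlist are constructed.

```python
# Added example: detect non-allowlisted extensions and silent version drift.
import json
import tempfile
from pathlib import Path

def installed_versions(extensions_dir):
    """Map extension ID -> sorted versions found under <id>/<version>_N/."""
    found = {}
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        found.setdefault(ext_id, []).append(data.get("version", "?"))
    return {ext_id: sorted(v) for ext_id, v in found.items()}

def drift(extensions_dir, pinned):
    """Compare installed extensions with an allowlist {id: pinned_version}."""
    installed = installed_versions(extensions_dir)
    report = {"not_allowlisted": [], "version_drift": [], "missing": []}
    for ext_id, versions in sorted(installed.items()):
        if ext_id not in pinned:
            report["not_allowlisted"].append(ext_id)
        elif versions != [pinned[ext_id]]:   # auto-update moved off the pin
            report["version_drift"].append((ext_id, pinned[ext_id], versions))
    report["missing"] = sorted(set(pinned) - set(installed))
    return report

def demo():
    """Build a constructed Extensions tree in a temp dir and audit it."""
    a, b, c, d = ("a" * 32, "b" * 32, "c" * 32, "d" * 32)  # constructed IDs
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, version in [(a, "1.4.0"), (b, "2.0.1"), (c, "0.9.0")]:
            folder = Path(tmp, ext_id, f"{version}_0")
            folder.mkdir(parents=True)
            manifest = {"manifest_version": 3, "name": "constructed", "version": version}
            (folder / "manifest.json").write_text(json.dumps(manifest))
        # Constructed allowlist: b is pinned to an older version, d is not installed.
        return drift(tmp, {a: "1.4.0", b: "2.0.0", d: "3.1.0"})

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```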
How to check browser extensions FAQ
How can I check my browser extensions for security risks?
You can check your browser extensions by opening your browser’s settings menu and reviewing the installed extensions list. Disable or remove any that you don’t recognize, have poor reviews, or request broad permissions like “read and change all your data on all websites.”
Can websites detect my Chrome extensions?
Yes, websites can detect Chrome extensions through fingerprinting techniques that query installed extensions. Even legitimate extensions reveal identifying traits, allowing sites to track users or infer organizational affiliations despite private browsing or VPN use.
What is browser fingerprinting?
Browser fingerprinting is a tracking technique that identifies a user based on unique browser traits, such as extensions, fonts, and hardware configuration. Unlike cookies, fingerprints persist across sessions, making it difficult to stay anonymous online.
How does managed attribution stop extension-based tracking?
Managed attribution protects against extension fingerprinting by isolating browsing in a secure, cloud-based environment. Investigators use disposable sessions that mask browser profiles, extensions, and location data — ensuring no traceable fingerprint remains across investigations.
What’s the difference between a browser extension and a browser plug-in?
Browser extensions are lightweight programs built with HTML, CSS, and JavaScript that customize how websites look or behave (like ad blockers or password managers). Browser plugins, on the other hand, were older executable programs (like Adobe Flash or Java) that enabled specific content types but ran with elevated privileges, creating security risks. Modern browsers have phased out plugin support in favor of the safer extension model.